Thank you

We respond to all inquiries as quickly as possible – often the same day. If you need to speak with us right away please contact us by phone.

Loading...

Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers – is the security community’s go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Multi-Stage Email Word Attack Without Macros

Malware authors often distribute malware through code macros in Microsoft Office documents such as Word, Excel, or PowerPoint. Regardless of the particular Office version, macros can be executed whenever the user opens the file. By default users get warnings from Office that the file they are about to open will run a macro, but at that point it's up to the user to decide whether to take the risk.

Recently, we have been receiving a lot of standard macro-related downloaders, most of them distributed from the Necurs botnet. However, the sample we look at today takes a longer, macro-less approach.

We have been monitoring an email spam campaign where opening the attachment downloads a password stealer as its final payload. However, getting to that payload uses a four-stage infection process, as summarized below.

Listed below are the some of email subjects used in the spam campaign:

TNT STATEMENT OF ACCOUNT – {random numbers}...............

Request for Quotation (RFQ) - <{random numbers}>

Telex Transfer Notification

SWIFT COPY FOR BALANCE PAYMENT

We examine the email and find that it has a Word document attachment (receipt.docx)

Word documents with Office 2007 Open XML Formats are based on XML and ZIP archive technologies. Anyone can easily manipulate data in a Word 2007 file programmatically or manually. As shown below, the DOCX attachment contains an embedded OLE object that has external references. This 'feature' allows external access to remote OLE objects to be referenced in the document.xml.rels.

When user opens the DOCX file, it causes a remote document file to be accessed from the URL: hxxp://gamestoredownload[.]download/WS-word2017pa[.]doc. This is actually a RTF file that is downloaded and executed.

The RTF file exploits the recent CVE-2017-11882 vulnerability that targets the MS Equation Editor tool. For more information about this vulnerability, click here

When the RTF file is run, by decoding the ASCII to its equivalent values, it will execute an MSHTA command line which downloads and executes a remote HTA file.

The HTA file contains VBScript with obfuscated code. By decoding each character code in VBScript, it reveals a PowerShell Script which eventually downloads and executes a remote binary file.

Finally, we get the final payload which is a Password Stealer Malware.

Adds and modifies registry:

The malware steals credentials from email, ftp, and browser programs by concatenating available strings in the memory and usage of the APIs RegOpenKeyExW and PathFileExistsW to check if registry or paths of various programs exist:

Email Programs (Memory Strings)

Browser Programs (Memory Strings)

FTP Programs (Memory Strings)

Finally, the malware will send data to its C&C via a HTTP POST:

It's pretty unusual to find so many stages and vectors being used to download malware. Indeed, this approach can be very risky for the malware author. If any one stage fails, it will have a domino effect on the whole process. Another noticeable point is that the attack uses file types (DOCX, RTF and HTA), that are not often blocked by email or network gateways unlike the more obvious scripting languages like VBS, JScript or WSF.